Securing Blazor Server bound event handlers

Posted 3 years ago by shanep
0

I'm evaluating Blazor Server as an option for an internal facing application.  In Razor Pages, I found a nice way to handle role-based authorization by throwing an exception from the code-behind OnGet methods.  This is picked up from the app.UseExceptionHandler("/Error") page.  After attempting to replicate that solution with Blazor Server, I have concluded that it is not a good fit.

The closest thing to a recommended solution I found in Blazor docs was the AuthorizeView:

<AuthorizeView Roles="groupsAllowedOnThisPage">
    @secureChildContent
</AuthorizeView>

What is less clear from the documentation is whether this is secure for interactive components which bind events within the AuthorizeView. For instance, does the following solution expose MySecureMethod to an unauthorized user through the SignalR circuit?

<AuthorizeView ...>
    <button @onclick="MySecureMethod">...</button>
</AuthorizeView>

@code {
    private void MySecureMethod() { ... }
}
  • 0

    Based on what you're saying, it sounds like what you may be needing is the [Authorize] attribute. You can use it to secure the component and you can add role-based authorization. However, this only works with @page components that are reached via the Blazor Router and not child components. See more at: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-5.0#authorize-attribute

    Posted 3 years ago by selliott
  • 0

    Sorry, I should have explained that I'm already using the [Authorize] attribute (which, without a roles or policy parameter, actually only forces authentication). My question is not whether the page will render (the `button` will not render), but rather whether `MySecureMethod` is bound to a SignalR event that could be manually triggered by a malicious user who is authenticated but not in `groupsAllowedOnThisPage`. It's a deeper question about the behavior of the Blazor Server w/ SignalR framework.

    Posted 3 years ago by shanep
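A defensive pattern for the question raised in this thread, as an added example that is not from the thread or from the Blazor docs: whatever the renderer does with events for content it never rendered, the server-side handler should re-check the role itself instead of trusting that the UI hid the button. AuthenticationStateProvider, ClaimsPrincipal.IsInRole and ILogger are standard ASP.NET Core APIs; the role name is the one used in the original post, and the log message is constructed for the example.

```razor
@using System.Security.Claims
@using Microsoft.AspNetCore.Components.Authorization
@using Microsoft.Extensions.Logging
@inject AuthenticationStateProvider AuthStateProvider
@inject ILogger<SecureActionComponent> Logger

<AuthorizeView Roles="groupsAllowedOnThisPage">
    <Authorized>
        <button @onclick="MySecureMethod">Run privileged action</button>
    </Authorized>
    <NotAuthorized>
        <p>You do not have access to this action.</p>
    </NotAuthorized>
</AuthorizeView>

@code {
    // Name of the authorization role for this area (taken from the original post).
    private const string RequiredRole = "groupsAllowedOnThisPage";

    private async Task MySecureMethod()
    {
        // Defense in depth: the role check lives in the handler, not only in the markup.
        // Hiding a button is a UI concern; authorization is a server-side decision.
        AuthenticationState state = await AuthStateProvider.GetAuthenticationStateAsync();
        ClaimsPrincipal user = state.User;

        if (user.Identity?.IsAuthenticated != true || !user.IsInRole(RequiredRole))
        {
            // Record the attempt for detection. Return rather than throw: an unhandled
            // exception in a Blazor Server event handler terminates the whole circuit.
            Logger.LogWarning(
                "Rejected privileged action for user {User}: missing role {Role}",
                user.Identity?.Name ?? "(anonymous)", RequiredRole);
            return;
        }

        // Only authorized callers reach the privileged work below.
        await DoPrivilegedWorkAsync();
    }

    private Task DoPrivilegedWorkAsync()
    {
        // Hypothetical placeholder for the real privileged operation.
        return Task.CompletedTask;
    }
}
```

The same re-check belongs in any service the handler calls, so that a future refactor which exposes the method through another entry point does not silently drop the authorization.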